Hi Alex, Alex Band wrote: [...]
As soon as the Registry is updated and the resources are associated with the new holder, the LIR can optionally request a resource certificate for it. This does mean that a transition is not seamless; there is a gap where there is no certificate and no ROA, which has an effect on the RPKI validity state of the associated BGP announcements. More on that below.
Let's assume that there was a certificate for the full block of the current holder. Part of that space moves to a new holder. While it is "obvious" that there's no certificate for that space, it would also be "obvious" that the encompassing certificate would have to become invalid, e.g. by being revoked by the CA. Correct? If the answer is yes, such a transfer would endanger the routing stability of *both* parties? Wilfried.
Technically that shouldn't be an issue, but the selling party might be selling only a part of a certain allocation, leaving that prefix invalid, and the new party needs to be able to create a new valid ROA directly after the transfer.
The BGP announcement of a prefix will *not* be invalid in this case (a common misconception). There are three validity states of BGP announcements in relation to ROAs to consider:
- valid (ROA exists)
- invalid (ROA exists for the prefix, but for a different ASN or max prefix length)
- unknown (no ROA exists for the prefix)
So while a transfer is ongoing, the associated BGP announcements will be "unknown" because no ROA exists (yet). If this is a problem, because operators would like a system where any BGP announcement should be "valid" at all times for it to be routed, our system and processes would have to be changed to facilitate that.
Not sure btw if the current RPKI system implementation checks ROAs for that specific LIR after a transfer is done... ( Alex B might know the answer on that ... )
As said, the process is fully automated so no action is required from the transferring LIR. The LIR who receives the resources is free to request a certificate and create ROAs, if they so choose.
Cheers,
Alex
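The three validity states discussed above, and what a transfer does to them, worked through in Python as an added example. This is not RIPE NCC code and not code from anyone in this thread; it implements route origin validation with the RFC 6811 semantics ("invalid" when a ROA covers the announced prefix but matches neither the origin AS nor the maxLength, "unknown"/NotFound when no ROA covers it). The prefixes (RFC 5737 documentation space), the ASNs (AS64496/AS64497 from the documentation range) and the transfer scenario are all constructed for the example.

```python
"""Route origin validation (RFC 6811 semantics) and the effect of a
resource transfer on the validity state of BGP announcements.

Added example, not RIPE NCC code. All prefixes and ASNs below are
documentation values, constructed for this illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: prefix, authorised origin AS, maxLength."""
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None means "equal to the prefix length"

    def network(self):
        return ip_network(self.prefix, strict=False)

    def covers(self, announced) -> bool:
        """True if this ROA's prefix equals or contains the announced prefix."""
        net = self.network()
        # Different address families never cover each other (supernet_of would raise).
        return net.version == announced.version and net.supernet_of(announced)

    def effective_max_length(self) -> int:
        return self.max_length if self.max_length is not None else self.network().prefixlen


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one BGP announcement.

    unknown : no ROA covers the prefix at all (RFC 6811 "NotFound")
    valid   : a covering ROA names this origin AS and permits this prefix length
    invalid : covering ROA(s) exist, but none matches AS and maxLength
    """
    announced = ip_network(prefix, strict=False)
    covering = [r for r in roas if r.covers(announced)]
    if not covering:
        return "unknown"
    if any(r.asn == origin_asn and announced.prefixlen <= r.effective_max_length()
           for r in covering):
        return "valid"
    return "invalid"


def transfer_scenario() -> dict:
    """Walk through the transfer discussed in the thread; returns the states seen.

    Hypothetical setup: AS64496 holds 192.0.2.0/24 with one ROA over the whole
    block; the upper /25 is transferred to AS64497.
    """
    old_holder, new_holder = 64496, 64497
    block, kept, moved = "192.0.2.0/24", "192.0.2.0/25", "192.0.2.128/25"
    states = {}

    # Before the transfer: the current holder's ROA covers the whole /24.
    roas = {ROA(block, old_holder, 24)}
    states["before"] = validate(block, old_holder, roas)

    # During the transfer: the certificate over the full block is revoked, so
    # its ROA is gone. Nobody's announcement is covered by any ROA any more:
    # the state is "unknown", not "invalid".
    roas = set()
    states["during_old"] = validate(block, old_holder, roas)
    states["during_new"] = validate(moved, new_holder, roas)

    # The worry from the thread, shown explicitly: had the old /24 ROA
    # stayed in place, the new holder's /25 from a different AS would be
    # covered by it and therefore "invalid".
    states["if_old_roa_remained"] = validate(moved, new_holder, {ROA(block, old_holder, 24)})

    # After the transfer: each party requests its own certificate and ROA.
    roas = {ROA(kept, old_holder), ROA(moved, new_holder)}
    states["after_old"] = validate(kept, old_holder, roas)
    states["after_new"] = validate(moved, new_holder, roas)
    return states


if __name__ == "__main__":
    for step, state in transfer_scenario().items():
        print(f"{step:22s} {state}")
```

The `validate` function is also useful for the maxLength case: a ROA for 192.0.2.0/24 with maxLength 24 makes an announcement of 192.0.2.128/25 from the *same* AS invalid, which is the other way an existing ROA turns an announcement from "valid" into "invalid".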